Firebox Edge x55e

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> ARM or PPC based Hardware
Goto page Previous  1, 2, 3, 4, 5, 6, 7  Next
Author Message
pedigree
DD-WRT Novice


Joined: 17 May 2010
Posts: 11

PostPosted: Thu Jun 03, 2010 23:50    Post subject: Reply with quote
Ive been really busy this week but Ill see if I can send it tomorrow - to the "donate hardware" address?
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17348
Location: Hesse/Germany

PostPosted: Mon Jun 07, 2010 13:57    Post subject: Reply with quote
contact them first for instructions
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
_________________
Andreas Baumert: "Kundige Menschen befragen Fachleute, ohne ihnen auf die Nerven zu gehen. Sie stellen keine Fragen, die sie mit etwas Fleiß und Lektüre selber beantworten können. Sie wissen, auf welche Quellen es ankommt,und wie man sich Zugang zu ihnen verschafft."
mr_jackie
DD-WRT Novice


Joined: 07 Jun 2010
Posts: 1

PostPosted: Mon Jun 07, 2010 18:51    Post subject: Reply with quote
Is there anyone who can run of Edge OS correctly in Qemu? Is it possible under Windows Qemu?
pedigree
DD-WRT Novice


Joined: 17 May 2010
Posts: 11

PostPosted: Thu Jun 10, 2010 14:06    Post subject: Reply with quote
If i could figure out a way of extracting it or even extracting the firmware, I would try..
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Fri Jun 25, 2010 11:05    Post subject: Reply with quote
Hi,
Did you get any further with this? It's possible to access Redboot as this guy has done it:
https://forum.openwrt.org/viewtopic.php?id=14106
Shame he doesn't say how. Rolling Eyes

I notice that the first thing in your bootlog is '+'. This is normally generated by Redboot to indicate that the system has been power cycled. It maybe that Redboot has just been set to boot silently or something similar. Is there a delay between the '+' and the kernel booting? If so try Ctrl-C to access Redboot.

Steve
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17348
Location: Hesse/Germany

PostPosted: Fri Jun 25, 2010 12:10    Post subject: Reply with quote
can someone with an openwrt account ask him how he did access redboot, plz.
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
_________________
Andreas Baumert: "Kundige Menschen befragen Fachleute, ohne ihnen auf die Nerven zu gehen. Sie stellen keine Fragen, die sie mit etwas Fleiß und Lektüre selber beantworten können. Sie wissen, auf welche Quellen es ankommt,und wie man sich Zugang zu ihnen verschafft."
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Sat Jun 26, 2010 2:00    Post subject: Reply with quote
I pm'ed him when I first read the post (some time ago) and received no reply. I'll try again.
A quick bit of googling shows two interstings things:
he's on myspace and checked it yesterday.
http://www.myspace.com/djkrztoff
he works or did work at watchguard.
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Sat Jun 26, 2010 12:17    Post subject: Reply with quote
It's probably worth noting here for anyone searching that the X10, X20 and X55 are identical hardware. They were available with or without wireless. I suspect, but can't confirm, that you could add the mini-pci card for wireless but you'd have to drill the case for the antennas. See:
http://watchguard.info/docs/corporate/wg_edge-eDe-MFR_instructions.pdf
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17348
Location: Hesse/Germany

PostPosted: Sat Jun 26, 2010 18:06    Post subject: Reply with quote
indeed theres share the same hw cause u can buy sw licences to upgrade our unit to the next model.
i bought a x10 2 weeks ago but it hasnt arrived yet.

_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
_________________
Andreas Baumert: "Kundige Menschen befragen Fachleute, ohne ihnen auf die Nerven zu gehen. Sie stellen keine Fragen, die sie mit etwas Fleiß und Lektüre selber beantworten können. Sie wissen, auf welche Quellen es ankommt,und wie man sich Zugang zu ihnen verschafft."
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Mon Aug 30, 2010 13:21    Post subject: Reply with quote
Any news on this box yet?

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Wed Sep 29, 2010 20:42    Post subject: Got my hardware Reply with quote
So I got hold of a box myself (99p from Ebay!) it didn't have a power supply but I had several suitable ones to hand, 12V 1.2A center positive.

So far I can replicate the experiences of 'pedigree' above. You have to hold the reset button while powering on to see the boot up on the rear serial connector (115200 bps).

As I suspected you can press Ctrl-C when the '+' appears to get Redboot access however it seems to be password locked. Sad

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Sun Oct 03, 2010 12:53    Post subject: No Luck Reply with quote
Just an update.
After reading TFM I have restored my Edge to working order which is fun to play with but not any closer to replacing the firmware.
Some things that might save someone some time.
The default IP of the Watchguard firmware is 192.168.111.1.

I have failed to connect to Redboot via telnet so far.

The device can be reset to factory defaults by holding down the reset button when powering up. I'm uncertain how long it must be held but I think no more than 10 seconds because...
When you boot with the reset button pressed Redboot will boot a backup partition that then resets the main partition and config. If it is successful then the orange LED (marked 'Attn') will light. Only the backup partition has console output on the rear serial port.
The 'Mode' LED indicates a successful connection to WAN1, it will flash while trying to connect.

Internally the device has a surface mounted switch marked 'ON' or '1'. Default is ON. When I first received my box it was totally hosed, only the power led. Only after I moved the switch was I able to recover it. It appears to connect/disconnect a backup battery.

There are several internal headers. Haven't explored them yet. (second serial port? USB?)

I have tried guessing the Redboot password based on the default password for other manufacturers with no luck. Given that I don't even know how many characters it is and this box is supposed to be a security appliance I think I'm wasting my time!

Any suggestions or is it JTAG time?

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Sun Oct 03, 2010 17:41    Post subject: Another quick update Reply with quote
The white plastic 4 pin header, JP1, at the front of the board, next to the mini-pci socket, is the second serial port. It's 3.3V so you'll need a converter.
The pinout is:
1: 3.3V
2: Rx
3: Tx
4: GND

On this port you get the full boot up sequence as well as system messages from the normal boot partition.
No console access though. Sad

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Thu Oct 07, 2010 15:13    Post subject: Reply with quote
I have confirmed that the switch on the PCB enables/disables the backup battery. Default is enabled. With it enabled going throught the factory reset procedure will restore the firmware but not your settings (local IP, admin logon etc...). Resetting with the switch off trully resets everything.
The box, unusually, has two flash types. Perhaps the 1MB NOR is battery backed?
Update: Nope doesn't seem likely. The actual chip is non volatile flash and it seems to remeber configuration changes across a reboot with the switch in either position.

Without using JTAG I am at a dead end.
My current attack angle is to try and get a root shell by expoiting a bug in the stock interface and then use the mtd command to write the flash.
However it seems that Watchguard haven't left any bugs for me to exploit! Rolling Eyes

Suggestions?

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

PostPosted: Thu Oct 07, 2010 18:44    Post subject: Reply with quote
Some interesting new information.
I successfully downgraded my box to 8.0.3. In order to do this you must have either a valid 'livesecurity' or not connect the box to the internet until after the firmware change.
Upon first boot I got:
Code:

RedBoot partition parsing not available
cmdlinepart partition parsing not available
IXP425 Flash: Using static MTD partitions.
Creating 6 MTD partitions on "IXP425 Flash":
0x00000000-0x00050000 : "Redboot"
0x00050000-0x00080000 : "cfg0"
0x00080000-0x000b0000 : "cfg1"
0x000b0000-0x000c0000 : "mfg"
0x000c0000-0x000d0000 : "bootOpt"
0x000e0000-0x00100000 : "RedbootConfig"
Initializing TC58DVM82A...
Scanning for TC58DVM82A...
NAND device: Manufacturer ID: 0xec, Chip ID: 0x76 (Samsung NAND 64MiB 3,3V 8-bit)
Scanning device for bad blocks
Using static partition definition
Creating 5 MTD partitions on "NAND 64MiB 3,3V 8-bit":
0x00000000-0x00200000 : "SysA Kernel"
0x00200000-0x02000000 : "SysA Code"
0x02000000-0x03800000 : "SysA Data"
0x03800000-0x03a00000 : "SysB Kernel"
0x03a00000-0x04000000 : "SysB Code"


So it appears that Redboot and it's config are stored on the 1MB flash chip whilst the Watchguard firmware (normal and backup) are on the 64MB.
Goto page Previous  1, 2, 3, 4, 5, 6, 7  Next Display posts from previous:    Page 2 of 7
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> ARM or PPC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum